Thieves look for ways to steal valuable data by targeting the least secure point of potential entry, whether that's a software problem or a well-meaning employee. Here are three examples of fraud schemes that don’t require sophisticated cyberskills.

Rafael Lourenco, executive vice president, ClearSale

Rafael Lourenco, executive vice president, ClearSale

Fraud is a bigger problem than ever in the digital era, as organized criminals exploit weaknesses in online security to commit crimes like data breaches and credit card fraud. However, the rising tide of online fraud doesn’t mean low-tech fraud is a thing of the past. Here are a few types of fraud that show why organizations’ fraud prevention practices must extend beyond the digital sphere.

Change of address fraud targets consumers and companies

One way criminals can access consumers’ bank, credit card, and other personal data is to steal their mail, and the most efficient way to do this is by filing fraudulent change-of-address cards for individuals. People from Utah to Florida have been targeted for this type of attack in 2018, resulting in identity theft, stolen packages, and hours of phone calls and follow-ups with credit bureaus, banks, and retailers to sort through the damage.

Merchants should have an agreement with their shipping carriers that all customer requests for post-purchase package rerouting must be approved by the merchant.

Companies are at risk for this type of mail diversion, too. In May, federal prosecutors charged an Illinois man with mail theft and fraud after he allegedly used a change-of-address card to reroute mail from UPS’ global headquarters in Atlanta to his Chicago apartment. According to the complaint, the accused man received thousands of pieces of mail meant for the giant shipping firm, including about $58,000 in checks that prosecutors say he deposited into his own account. The US Postal Service discovered the fraudulent address change only after an inquiry from UPS, nearly three months after the address change took effect.

The Postal Service told NPR News that fewer than one-tenth of one percent of the 37 million change-of-address forms it processed last year were reported as possible fraud, and not all the reported cases were confirmed as fraud. But if a company the size of UPS can fall victim to this type of scam, all organizations should review their mail security practices—or implement them. For example, if your business receives no mail or dramatically less mail than usual for more than a couple of days, it’s time to reach out to the local post office to see if there’s been a diversion or theft. Incoming and outgoing mail should be kept in a secure place where passersby, visitors, and unauthorized personnel can’t access it.

advertisement

Post-purchase shipping fraud hits online merchants

One relatively low-tech fraud approach we sometimes see in the e-commerce fraud prevention industry is a type of shipping fraud that exploits retailers’ customer service departments and shipping partners. It works like this: Criminals want to buy goods for resale using stolen consumer information, but they know that if they enter their own shipping address, the retailer’s fraud-detection system will flag the order as possible fraud and it will probably be rejected. So the criminals place the order using use the victim’s shipping address so the system doesn’t detect a discrepancy. Then, after the order is approved, the thieves contact the retailer’s customer service (or the shipping company) and request that the package go to a new address, knowing that the new address probably won’t be screened for fraud.

To combat this type of fraud, retailers must train their customer service team to send post-purchase shipping change requests to the fraud team for screening. Merchants should also have an agreement with their shipping carriers that all customer requests for post-purchase package rerouting must be approved by the merchant before they can take effect.

Customer impersonation targets customer service teams

Mail and shipping exploits aren’t the only types of low-tech fraud. One of the most dramatic international security breaches in recent years happened because a UK teenager pretended to be someone else on the phone and got away with it. Earlier this year, the teen was sentenced to two years in youth detention for breaking into the email accounts of then-CIA head John Brennan and other US intelligence officials in 2015 and 2016.

He did so, prosecutors said, by impersonating his victims in phone calls to Comcast and Verizon, and persuading customer service reps to reset their email account credentials. The teen then harassed his victims, accessed sensitive information about US intelligence and military operations, and leaked information online. The clear prevention strategy for this type of phone-based fraud is to train your organization’s customer service reps never to reset customer passwords or other account credentials over the phone, no matter who the caller claims to be.

The lesson of low-tech fraud is that thieves look for ways to steal valuable data by targeting the least secure point of potential entry, whether that’s a software problem or a well-meaning employee. The solution for merchants and other businesses is to have multiple layers of fraud protection for transactions and other data. In addition, companies should train their employees to talk to their fraud and security teams when they notice something unusual or get a customer request to change account credentials. Communication is a low-tech but effective way to prevent low-tech fraud.

advertisement

ClearSale provides online retailers with fraud-prevention technology and services designed to protect against chargebacks.

Favorite